To try everything Brilliant has to offer-free-for a full 30 days, visit brilliant.org/Ardens/ . You’ll also get 20% off an annual premium subscription.
One thing quantum computers are millions of times faster then regular computers and this is early quantum computers so in the future they could be much much faster so a brute force will go from taking 20 years to 2 seconds (yes they are that fast)
you forgot the "call the person and openly ask for their password" it works more often than some would think... edit/note: I'm not talking about phishing, I'm talking about literally calling and saying "hi what's your password I'm gonna steel your stuff"
"Hey its me, your (insert family or associate). I meant put some money onto (account) for you. Whats the password again?" Hearing that with no expectations of an attack or when you are stressed/very busy is all it takes for you to speak before you think.
Especially now that PayPal, SoFi, etc are all using these third parties that just ask for your BANK PASSWORD to be able to transfer money from bank to their accounts, basically normalizing this behavior and calling it "secure"
you know that you can navigate a web page with only the keyboard and when filling in multiple things it's way faster then reaching for a mouse or touchpad so it's not bullshit if it's like they guessed the things with hints though in reality the dude probably just going to run a shortcut so they're just going to be using the mouse
I mean, condoms prevent you from receiving malicious (viruses) or just unwanted in a particular case (sperm) genetic data, which is not far from cybersecurity
Dumpster diving worked ... in the 60s and 70s. My University printed the new users passwords on a shared printer accessible to all professors and post graduates. The sheet got there until someone get to claim it allowing a lot of time for anyone to copy it.
@@neoleonor7140 Off course there were: IBM 360 was launched in 1964, PDP 11 was launched in 1970, Centurion in 1964. Even microcomputers: Sphere was from 1975.
As a sidenote, it's much more efficient to make a password longer, than to add special characters, as the amount of possible passwords is the number of allowed characters to the power of the amount of positions. So simply making a passworld longer increases cracking time exponentially, while forcing the user to use a special character increases the time linearly and also makes the password much harder to remember
When i rented from a friend of mine who was paranoid about his cyber security, his wifi pasword was literally 100 characters long...which required him to keep it in a digital document he messaged to me to copy and paste....completely obviating the point of such a long password
If anyone's curious, I did some math: There's 52 possible letters you can use (26 lowercase and 26 uppercase) and 42 numbers/symbols. If you have an 8 character password with just letters, then you have 52^8, or 5.3×10^13 possible combinations. With special characters and numbers, you'd then have 84^8, or 2.5×10^15 combinations. Adding a ninth character to a password with only letters brings the possibilities to 2.8×10^15, about 12% more than making a character special. Say we have the same 8 character password, but a number and special character are required. Most people would only put one of each in their password, so a hacker might reasonably assume this. Interestingly, the password is not much better, with a total of 10*32*52^6*8*7, or 3.5×10^14 passwords possible. This is an increase of 663%, whereas adding a 9th letter increases the number by 5,200%, and assuming any character could be anything increases by 4,637%. This last scenario typically only happens if someone has a password manager.
@@Arceus3251 I wouldn't be so sure - social engineering tactics are a tactic anyone in security-focal roles can absolutely capitalize on, and from there, you have an effective attack vector. Human error is notably the most likely breach of security, and when you compare "human stupidity" versus "the size of the universe", you will find the former _vastly more infinite._
Here's one insanely impractical one: Using CPU vulnerabilities like Meltdown, a threat actor can probe a locked machine and try a password character by character. Since the CPU has already loaded the correct passwort into memory, the actor can see if the character is correct, based on how long the response takes. A correct character gets a slightly slower response, at which point the actor can start trying the next character until the whole password is know.
Level 11: Rule based attack Basically a dictionary attack, however, an attacker has a list of predefined rules such as "replace the letter a with @" or "add a number to the end to the password" or "capitalise the first letter". These are useful for working with those pesky password policies. Although these attacks can still take a long time depending on the target
Level 12: Password spraying attacks A lot of services will block you if you attempt to try to log into a person's account too many times. Hence, attackers will only try 2-3 common passwords per an account before trying the next one. This is really good if you have hundreds of known or easily guessable accounts
Don’t delete the data in the drive, format the drive instead so that data recovery tools can’t even detect the file even existed. Don’t use ‘quick’ format options as that doesn’t override data that was on the drive in the first place. Deleting and removing data have very different meanings. Deleting removed the symbolic link to the file (so programs like RecycleBin can detect the file and restore the contents in the exact same directory of where the file was deleted), erasing it makes any data unreadable.
there's tools that overwrite drives with random bit values and then format to totally shred any residual data as I think some filesystems can retain a cache or something
6:05 Huh, I'd like to see at least ONE reference to the term 'adversary in the middle attack' actually being used. I've always heard MITM or on-path attack.
Fun fact: if you memorize alt codes, you can generate a secure numeric string using more fancy ASCII characters. I actually hide a couple of these characters in my passwords just because I can, and it's fun hearing blackmailers get confused when an old account finally gets breached. Just make sure you use alt codes you can easily remember, like 256, 69, or 42. I'm not on my computer RN, so I can't demonstrate what these examples would be, but if you're crazy enough, you can have a password that uses only alt codes, and I'm considering integrating it as part of the arg handbook
@@JamesTDG 204 and similar are fun too, along with emojis, just make sure you don't need that account on other devices because emojis can be hard to match sometimes
The best brute force hacking tool: RNG to make a variable length string + RNG to fill each character of it + GPU = profit, or just use the infinite monkeys with typewriters
1:40 Actually, you would be shocked how many people would toss away sensitive data on paper or hard drives. It's extremely likely, and usually with older generations, that their passwords are written down. Or passwords are literally just, password123.
Is funny that as I progressed in my university cs study. I now understand more and more of what people are referring to, which is great cause I genuinely enjoy uni and learn a lot off actual useful cool shet. Edit: also my professor once told me most attacks actually came from within, because people can’t do much when the “attackers” is within the protections
3:51 Length is more important, and the latest recommendations from NIST emphasize length, not numbers and symbols. It used to be assumed a (one) short password would be easier to remember even if complex, but now we use lots of accounts, and in the "real world" the old rules cause vulnerabilities by people writing them down (see dumpster diving, shoulder surfing) or reusing them (credential stuffing).
Level 13 super brute force if level 12 doesn’t work Super brute force well basically always work because in like a few tries it’s like brute force, but But it’s the most efficient possible it gets more efficient every time you do it
note about complexity requirements: they don't actually improve the strength of a password. The best way to improve the strength is to add more characters (recommendation is at least 15 characters)
The "credential stuffing attack" is probably more dangerous now. Now that we have Ai, in theory, it can probably guess each person's tendency and common words used in the password. Making it guess similar passwords that the users probably have. And this is wayyy more efficient than brute forcing attacks or dictionary attacks. So everyone, dont just make different passwords, make them different enough
@@Ardens. Does a reduction function always produce a single result? And that's why you hash and "reduce" the output many times over, trying the possible unhashed output each time as the possible original password?
As someone who developed a working cross-platform brute forcing script it is really easy to break into accounts even if its a "level 1" hacking method.
2:03 No, if you just delete it permanently, it is retrievable, and recoverable, even if it’s overwritten, so instead you smash the hard drive or SSD and destroy it into oblivion, or in more violent situations, the entire computer.
For brute force, do special characters really help that much? The alphabet, lower and upper case, give you 52 characters, numbers give you an additional 10, and so do the standard 10 special characters. Wouldn't it be better to just add more characters?
I thought brute force attacks were almost complete useless now due to systems having limited wrong attempts before locking the account and sending out warnings.
To be clear, any divice works for dumpster diving. Cheap smart divices hold your wifi passwords, usally unencrypted. Also the part about him destorying the divice isnt a joke. Deleting files from a hard drive doesn't delete them. And even writing over them isnt always effective. Ssd's should be fine with wiping tho (not sure check yourself)
To try everything Brilliant has to offer-free-for a full 30 days, visit brilliant.org/Ardens/ . You’ll also get 20% off an annual premium subscription.
first 🤓🤓🤓
brilliant stop sponsoring every fucking youtube video i watch
@@number1-willstetsonsimp you're not the only one
One thing quantum computers are millions of times faster then regular computers and this is early quantum computers so in the future they could be much much faster so a brute force will go from taking 20 years to 2 seconds (yes they are that fast)
@@Torger726 hi n
"Dumpster diving attack has something to do with retrieving passwords from the cache or something, right? Oh, it's literal dumpster diving. Nevermind"
The most powerful technique of all: Social engineering.
Can have the tightest security in the world, but a man's lips is the loosest.
NIKOCADO AVOCADO ONLY FAN ON MY PAIGE LEAKED!
but what about a woman's lips?
@@averagejoey2000bad down
isnt social engineering almost the same as phishing?
@@kylesnotepic Phishing is a form of social engineering
you forgot the "call the person and openly ask for their password" it works more often than some would think...
edit/note: I'm not talking about phishing, I'm talking about literally calling and saying "hi what's your password I'm gonna steel your stuff"
"Hey its me, your (insert family or associate). I meant put some money onto (account) for you. Whats the password again?"
Hearing that with no expectations of an attack or when you are stressed/very busy is all it takes for you to speak before you think.
Idk man, fairly sure I'd notice if my dead father called me.@@starplane1239
So. What is your password?
Bold of you to assume I know my password
Especially now that PayPal, SoFi, etc are all using these third parties that just ask for your BANK PASSWORD to be able to transfer money from bank to their accounts, basically normalizing this behavior and calling it "secure"
Level 11: Typing a bunch of stuff without touching the touch pad or mouse and then muttering "I'm in."
Works every time.
thats why i use it all the time
you know that you can navigate a web page with only the keyboard and when filling in multiple things it's way faster then reaching for a mouse or touchpad so it's not bullshit if it's like they guessed the things with hints though in reality the dude probably just going to run a shortcut so they're just going to be using the mouse
@@cameleon2mur80yapping
Bro on some penguins of Madagascar ass shit
@@gemstonepuppetcrying
That condom analogy caught me off guard lmaooo
On a cyber security video, why does this not surprise me…
So true, imagine watching the video in public and with no headphones
I mean, condoms prevent you from receiving malicious (viruses) or just unwanted in a particular case (sperm) genetic data, which is not far from cybersecurity
@@kwameappiahkumi5833 no living soul should ever watch any videos in public
Lmaol!!!!!
Dumpster diving worked ... in the 60s and 70s. My University printed the new users passwords on a shared printer accessible to all professors and post graduates. The sheet got there until someone get to claim it allowing a lot of time for anyone to copy it.
NIKOCADO AVOCADO'S PATREON ON MY PAIGE LEAKED!
Aren't there no computers in the 60s or 70s
@@neoleonor7140there were, but very basic
@neoleonor7140 there was in 1962 I think
Before 1962 we only used PCs for Rockets and shi-
@@neoleonor7140 Off course there were: IBM 360 was launched in 1964, PDP 11 was launched in 1970, Centurion in 1964. Even microcomputers: Sphere was from 1975.
As a sidenote, it's much more efficient to make a password longer, than to add special characters, as the amount of possible passwords is the number of allowed characters to the power of the amount of positions. So simply making a passworld longer increases cracking time exponentially, while forcing the user to use a special character increases the time linearly and also makes the password much harder to remember
This assumes a brute force attack. Dictionary attacks don't care that much about it.
When i rented from a friend of mine who was paranoid about his cyber security, his wifi pasword was literally 100 characters long...which required him to keep it in a digital document he messaged to me to copy and paste....completely obviating the point of such a long password
The safest password I ever used was a three verse poem. Easy to remember because it rhymes and insanely long.
If anyone's curious, I did some math:
There's 52 possible letters you can use (26 lowercase and 26 uppercase) and 42 numbers/symbols. If you have an 8 character password with just letters, then you have 52^8, or 5.3×10^13 possible combinations. With special characters and numbers, you'd then have 84^8, or 2.5×10^15 combinations. Adding a ninth character to a password with only letters brings the possibilities to 2.8×10^15, about 12% more than making a character special.
Say we have the same 8 character password, but a number and special character are required. Most people would only put one of each in their password, so a hacker might reasonably assume this. Interestingly, the password is not much better, with a total of 10*32*52^6*8*7, or 3.5×10^14 passwords possible. This is an increase of 663%, whereas adding a 9th letter increases the number by 5,200%, and assuming any character could be anything increases by 4,637%. This last scenario typically only happens if someone has a password manager.
@@AkiraTheCatgirl0 kudos to you for actually crunching the numbers
so many people got into my alt account to dox me that they can't even dox me anymore because there's 200 devices all in different places
That's pretty funny NGL
@@actuallyasriel if you think that is funny you haven't seen my sandbox the viruses are breaking each other by infecting the other viruses
@@cameleon2mur80
*Natural selection*
@@cameleon2mur80 Bro that's not a sandbox that's a petri dish
yo i got a biologist and a historian in the comments lets go
"I know jackshit about cyber security"
I hold a degree in cyber security. This is significantly more than "jackshit"
Very informative, cheers!
If anyone knew as much as he said here, people's secuirty would be way safer and have a better life
@@dubbyplays It'd put me out of a job, though
@@Arceus3251 I wouldn't be so sure - social engineering tactics are a tactic anyone in security-focal roles can absolutely capitalize on, and from there, you have an effective attack vector.
Human error is notably the most likely breach of security, and when you compare "human stupidity" versus "the size of the universe", you will find the former _vastly more infinite._
The real twist is that this video was not sponsored by a VPN or a password manager.
Here's one insanely impractical one:
Using CPU vulnerabilities like Meltdown, a threat actor can probe a locked machine and try a password character by character. Since the CPU has already loaded the correct passwort into memory, the actor can see if the character is correct, based on how long the response takes. A correct character gets a slightly slower response, at which point the actor can start trying the next character until the whole password is know.
number 1 lesson in cybersecurity, you are always the vunerability. called the phishing attack one right off the bat
Did you update the report?
8:11 unexpect user on your family plan💀
ikr
I like to imagine that Shitbird is used for Twitter
Level 11: Rule based attack
Basically a dictionary attack, however, an attacker has a list of predefined rules such as "replace the letter a with @" or "add a number to the end to the password" or "capitalise the first letter". These are useful for working with those pesky password policies. Although these attacks can still take a long time depending on the target
Level 12: Password spraying attacks
A lot of services will block you if you attempt to try to log into a person's account too many times. Hence, attackers will only try 2-3 common passwords per an account before trying the next one. This is really good if you have hundreds of known or easily guessable accounts
Having the password at 4:04 was either brilliant or accidental but I love it either way.
what password? i didnt notice any other paswords except k_O8v3
Don’t delete the data in the drive, format the drive instead so that data recovery tools can’t even detect the file even existed. Don’t use ‘quick’ format options as that doesn’t override data that was on the drive in the first place.
Deleting and removing data have very different meanings. Deleting removed the symbolic link to the file (so programs like RecycleBin can detect the file and restore the contents in the exact same directory of where the file was deleted), erasing it makes any data unreadable.
there's tools that overwrite drives with random bit values and then format to totally shred any residual data as I think some filesystems can retain a cache or something
Formatting doesn't affect the data, it's still visible to recovery tools. You need to overwrite it as well or use full disk encryption
Can i physicaly burn it
@@svyetochkaum I'm sure that'd work as long as you do significant damage
@@svyetochka Yes. This is significantly more effective than any software-based solution.
6:13
*That one illegal hacker woman that was offended by the name be like*
The fuck are you talking about
@@jaceyjohnson8922 man-in-the-middle > adversary-in-the-middle... Like who cares that it is "man" in this case, it is man as in human and not man
The scrungle
@@gabrielarrhenius6252I think you mean huperson
@@jaceyjohnson8922 are you stupid or something
6:05 Huh, I'd like to see at least ONE reference to the term 'adversary in the middle attack' actually being used. I've always heard MITM or on-path attack.
Same
It was a joke I think
Man in the middle rolls better on the tongue. I'll keep using it or else also rename hangman to hangperson
no hangman is more iconic
its a joke....
transwomen are holding up our infrastructure so they had to change it smh
But he did use it....
@MediocreContentEnterprise_ _ _ _ _ _
3:59 Imagine having that exact password and it randomly showing up here
Fun fact: if you memorize alt codes, you can generate a secure numeric string using more fancy ASCII characters. I actually hide a couple of these characters in my passwords just because I can, and it's fun hearing blackmailers get confused when an old account finally gets breached. Just make sure you use alt codes you can easily remember, like 256, 69, or 42.
I'm not on my computer RN, so I can't demonstrate what these examples would be, but if you're crazy enough, you can have a password that uses only alt codes, and I'm considering integrating it as part of the arg handbook
@@JamesTDG 204 and similar are fun too, along with emojis, just make sure you don't need that account on other devices because emojis can be hard to match sometimes
7:29 Okay, that one was unexpected!
just under 1234567 and above 1234567890
**visible confusion**
2:45 might as well worry about your vrginity getting stolen too
😏
i hate when hackers break into my home and do that
7:03 nice choice of anime right there
¿Name of the anime?
Anime?
@@bratluv57 Clannad
@@Camilux07 Clannad
just remember: your strongest password security is only as strong as your dumbest employee.
Ayoo, I'm glad to see you're back! Hope to see more. Great video
People laughing about the "treat your passwords like condoms" part but the one that made me laugh the most was "shitbird"
man i love your references,
"unless you are taking a train in tokyo during rush-hour" XD
1:30 evidently you haven't seen my mother's work laptops
Still have my old laptops sitting around because E-waste poisoning is no joke.
@@SupersuMC Hers have the password taped over the camera, really shows her priorities
The best brute force hacking tool: RNG to make a variable length string + RNG to fill each character of it + GPU = profit, or just use the infinite monkeys with typewriters
The monkeys said they were hungry. Anyone got infinite bananas I could borrow
I like how anything past level 3 is just a variant of social engineering, proving that a human is the weakest link in cybersecurity
8:13 Always use your passwords like a .... , well, thanks, I leaned it well.😂
the "unexpected member of the family plan"
"Unless you're on a train. In Tokyo,at rush hours, and then having your password stolen should be the least of your worries" had me cracking up
When the police goes on a manhunt, I hope they change it to person-thingy-hunt too.
I love how “shitbird” is a common password.
1:40 Actually, you would be shocked how many people would toss away sensitive data on paper or hard drives. It's extremely likely, and usually with older generations, that their passwords are written down.
Or passwords are literally just, password123.
sponsor ends at 5:26. you're welcome
It's usually exactly one minute long so if you skip one minute 70% of the time you'll skip just the ad
My collage teachers still call it man-in-the-middle attacks
I dont think many people know, or care, about politicizing IT terminology
@@piroman85 so true, so when it happens it is just stupid
@ReaverSoul no
@@gabrielarrhenius6252 He is, you're just stupid.
2:03 Green me stay alone ramp
Level 11: An Hacking Organization level captable to Defeat AES-256 in just couple days
Level 12: A Guy who eats AES-256 as breakfast
That Winney the Poo meme about S.Q.L. or "sEqUeL" was a personal attack.
Where's squeal
What is your math confort level? 4:30
Me: 1+1
the art for this one is awesome.....................
I would love to see a video like this with the best hash function specific for storing passwords!
5:27 where the sponsor ends
Thank you, sir
You are the goat 💯
2:10
I did this once to get on the family computer.
didn't we all
Level 2: You do not reliably destroy data by beating it. First, fry it in the microwave, then bake it in the offen and then smash it.
Is funny that as I progressed in my university cs study. I now understand more and more of what people are referring to, which is great cause I genuinely enjoy uni and learn a lot off actual useful cool shet.
Edit: also my professor once told me most attacks actually came from within, because people can’t do much when the “attackers” is within the protections
Another unusual type of attack is Clairvoyance
Its been a minute, but hes back...
brute force + quantum computer = absolute disaster
6:10 ah yes feminism 😂
3:51 Length is more important, and the latest recommendations from NIST emphasize length, not numbers and symbols. It used to be assumed a (one) short password would be easier to remember even if complex, but now we use lots of accounts, and in the "real world" the old rules cause vulnerabilities by people writing them down (see dumpster diving, shoulder surfing) or reusing them (credential stuffing).
Dictionary Attack
PC: Use a dictionary to steal someones password
School:*GETS HEADSHOT BY 1800 PAGES OF WORDS*
I mean if somebody threw my country's dictionary at me I'd probably die or get severe brain damage
@@damy2433 I know right?
Level 12: Asking (remember to say the magic word)
Level 13 super brute force if level 12 doesn’t work Super brute force well basically always work because in like a few tries it’s like brute force, but But it’s the most efficient possible it gets more efficient every time you do it
Number 11: Oopsie daisy, your company accidentally made the database indexable on search engines
what a thorough and engaging review, learned a lot!
Very smooth ad-roll intro
Don't forget there are people out there with the same password as their username 😂
“If brute force doesn’t work, you aren’t using enough of it”
no way ardens is alive!
Rainbow table is not pasword:ifyouhackemeyouaregay
hacks you immediately (for legal reasons this is a joke)
p♂️ass♂️word
I mean thats rainbow so i guess
Which gay is this? The umbrella term for the lgbt+ or the dude who doesn't wear socks
The guys who says "homo" after doing something straight.
note about complexity requirements: they don't actually improve the strength of a password. The best way to improve the strength is to add more characters (recommendation is at least 15 characters)
The "credential stuffing attack" is probably more dangerous now.
Now that we have Ai, in theory, it can probably guess each person's tendency and common words used in the password. Making it guess similar passwords that the users probably have.
And this is wayyy more efficient than brute forcing attacks or dictionary attacks.
So everyone, dont just make different passwords, make them different enough
here's my foolproof measure against phishing attacks; I just don't check my email lol
The Shoulder Surfing sounds so dumb that I thought you made it up
2:03 Just Format your HDD (without fast formatting), not destroying your computer
That is not a guarantee. For hard drives, if you really want to be secure, you need to destroy them. One way is degaussing.
2:44 oh yes, the classic doujin plot
*6:31** this should be "squeel". I heard one guy pronounce it like that*
0:35 they convert a hash into a password? Isn't a hash's property that it can't be converted into the input?
A reduction function doesn’t convert a hash into its original plaintext form, but instead an arbitrary plaintext potential password
@@Ardens. Does a reduction function always produce a single result? And that's why you hash and "reduce" the output many times over, trying the possible unhashed output each time as the possible original password?
I learnt so much, thank you!
6:10 human in the middle🗿
"This is impossible! Never in my life would I be able to get this right!"
Guessing: 😏
Straight to the point, nice
Brute force goes hard, not only in this context.
06:30 Oh heck, that one got me. Exactly how I feel on the matter, too.
Thanks for the tutorials :3
3:59 which is now made to a couple seconds thanks to your video
complex passwords are difficult for the user, versus passphrases which are easy for the user but hard to crack. Your thoughts on that?
Incredible use of memes, 100/10
As someone who developed a working cross-platform brute forcing script it is really easy to break into accounts even if its a "level 1" hacking method.
aaaa why are your drawings so adorablee ,w,
2:03 No, if you just delete it permanently, it is retrievable, and recoverable, even if it’s overwritten, so instead you smash the hard drive or SSD and destroy it into oblivion, or in more violent situations, the entire computer.
Awesome video man. New subscriber ✌🏻
For brute force, do special characters really help that much? The alphabet, lower and upper case, give you 52 characters, numbers give you an additional 10, and so do the standard 10 special characters. Wouldn't it be better to just add more characters?
Don't forget about side channel attacks
Yippie!! Finally I can crack the password of my pc I lost 2 years ago and didn't totally just found it
Alternative method: Tortur- "Enhanced Interrogation Techniques"
I thought brute force attacks were almost complete useless now due to systems having limited wrong attempts before locking the account and sending out warnings.
Dumper Diving works wonders in immersive sim games.
thanks, taking notes
7:02 dictionary attack 🤣🤣
Hacker: "if it's not 0% then it's like 100%"
Mentioning rainbow tables on pride month is a genius move.
So that's why micros*ft tracks everything one does including his keyboard!
i pulled off the shoulder surfing on my friend
can't beleive that happened
To be clear, any divice works for dumpster diving. Cheap smart divices hold your wifi passwords, usally unencrypted. Also the part about him destorying the divice isnt a joke. Deleting files from a hard drive doesn't delete them. And even writing over them isnt always effective. Ssd's should be fine with wiping tho (not sure check yourself)
Why did my wifi crash once you said wifi eavesdropping??
Ardens what did you do ?